chore: update go version and dependency bumps for services #3573

Merged
merged 1 commit into from
Oct 19, 2023

shreddedbacon

General Checklist

  • Affected Issues have been mentioned in the Closing issues section
  • Documentation has been written/updated
  • PR title is ready for inclusion in changelog

Database Migrations

  • If your PR contains a database migration, it MUST be the latest in date order alphabetically

Update go version and dependencies for backup-handler, logs2notifications, and workflows

@shreddedbacon shreddedbacon changed the title chore: update logs2notifications go version and dependency bumps chore: update go version and dependency bumps for services Oct 18, 2023
chore: update workflows go version and dependency bumps
chore: update backup-handler go version and dependency bumps
chore: update actions-handler go version
@shreddedbacon shreddedbacon force-pushed the additional-go-dep-updates branch from 63cdcec to 2e665bb Compare October 18, 2023 20:40
@shreddedbacon shreddedbacon marked this pull request as ready for review October 18, 2023 22:11
@tobybellwood

Use of golang 1.21.3 to build instead of 1.19.6 shows a significant reduction in CVEs

actions-handler

  ## Overview
  
                      │               Analyzed Image               │              Comparison Image               
  ────────────────────┼────────────────────────────────────────────┼─────────────────────────────────────────────
    Target            │  testlagoon/actions-handler:pr-3573        │  uselagoon/actions-handler:v2.16.0          
      digest          │  4d8ef92d6508                              │  bcf0baef4b29                               
      platform        │ linux/amd64                                │ linux/amd64                                 
      provenance      │ https://github.com/uselagoon/lagoon.git    │ https://github.com/uselagoon/lagoon.git     
                      │  2e665bb0c5b4efa3655b749b0df75a5c517bc502  │  083aa40a8704b327c4cb7ba92cf83ad6a211aaf2   
      vulnerabilities │    5C    42H    16M     1L     2?          │    7C    53H    21M     1L     3?           
                      │    -2    -11     -5            -1          │                                             
      size            │ 18 MB (-912 kB)                            │ 19 MB                                       
      packages        │ 67                                         │ 67                                          
                      │                                            │                                             
    Base image        │  alpine:3                                  │  alpine:3                                   
      tags            │ also known as                              │ also known as                               
                      │   • 3.18                                   │   • 3.18                                    
                      │   • 3.18.4                                 │   • 3.18.4                                  
                      │   • latest                                 │   • latest                                  
      vulnerabilities │    0C     0H     0M     0L                 │    0C     0H     0M     0L     

backup-handler

  ## Overview
  
                      │               Analyzed Image               │              Comparison Image               
  ────────────────────┼────────────────────────────────────────────┼─────────────────────────────────────────────
    Target            │  testlagoon/backup-handler:pr-3573         │  uselagoon/backup-handler:v2.16.0           
      digest          │  2916e3291087                              │  0c673bee2bf6                               
      platform        │ linux/amd64                                │ linux/amd64                                 
      provenance      │ https://github.com/uselagoon/lagoon.git    │ https://github.com/uselagoon/lagoon.git     
                      │  2e665bb0c5b4efa3655b749b0df75a5c517bc502  │  083aa40a8704b327c4cb7ba92cf83ad6a211aaf2   
      vulnerabilities │    5C    42H    16M     1L     2?          │    7C    53H    21M     1L     3?           
                      │    -2    -11     -5            -1          │                                             
      size            │ 16 MB (+409 kB)                            │ 16 MB                                       
      packages        │ 62                                         │ 62                                          
                      │                                            │                                             
    Base image        │  alpine:3                                  │  alpine:3                                   
      tags            │ also known as                              │ also known as                               
                      │   • 3.18                                   │   • 3.18                                    
                      │   • 3.18.4                                 │   • 3.18.4                                  
                      │   • latest                                 │   • latest                                  
      vulnerabilities │    0C     0H     0M     0L                 │    0C     0H     0M     0L  

logs2notifications

  ## Overview
  
                      │               Analyzed Image               │              Comparison Image               
  ────────────────────┼────────────────────────────────────────────┼─────────────────────────────────────────────
    Target            │  testlagoon/logs2notifications:pr-3573     │  uselagoon/logs2notifications:v2.16.0       
      digest          │  de5b73a84289                              │  b39b20fda520                               
      platform        │ linux/amd64                                │ linux/amd64                                 
      provenance      │ https://github.com/uselagoon/lagoon.git    │ https://github.com/uselagoon/lagoon.git     
                      │  2e665bb0c5b4efa3655b749b0df75a5c517bc502  │  083aa40a8704b327c4cb7ba92cf83ad6a211aaf2   
      vulnerabilities │    5C    42H    17M     2L     2?          │    7C    53H    22M     2L     3?           
                      │    -2    -11     -5            -1          │                                             
      size            │ 19 MB (+588 kB)                            │ 18 MB                                       
      packages        │ 68                                         │ 68                                          
                      │                                            │                                             
    Base image        │  alpine:3                                  │  alpine:3                                   
      tags            │ also known as                              │ also known as                               
                      │   • 3.18                                   │   • 3.18                                    
                      │   • 3.18.4                                 │   • 3.18.4                                  
                      │   • latest                                 │   • latest                                  
      vulnerabilities │    0C     0H     0M     0L                 │    0C     0H     0M     0L  

workflows

  ## Overview
  
                      │               Analyzed Image               │              Comparison Image               
  ────────────────────┼────────────────────────────────────────────┼─────────────────────────────────────────────
    Target            │  testlagoon/workflows:pr-3573              │  uselagoon/workflows:v2.16.0                
      digest          │  a86fce0ce7fd                              │  d3ccfd33c7ba                               
      platform        │ linux/amd64                                │ linux/amd64                                 
      provenance      │ https://github.com/uselagoon/lagoon.git    │ https://github.com/uselagoon/lagoon.git     
                      │  2e665bb0c5b4efa3655b749b0df75a5c517bc502  │  083aa40a8704b327c4cb7ba92cf83ad6a211aaf2   
      vulnerabilities │    5C    42H    16M     1L     2?          │    7C    53H    21M     1L     3?           
                      │    -2    -11     -5            -1          │                                             
      size            │ 16 MB (+427 kB)                            │ 16 MB                                       
      packages        │ 63                                         │ 63                                          
                      │                                            │                                             
    Base image        │  alpine:3                                  │  alpine:3                                   
      tags            │ also known as                              │ also known as                               
                      │   • 3.18                                   │   • 3.18                                    
                      │   • 3.18.4                                 │   • 3.18.4                                  
                      │   • latest                                 │   • latest                                  
      vulnerabilities │    0C     0H     0M     0L                 │    0C     0H     0M     0L  

@tobybellwood tobybellwood left a comment

Nice, thanks for the update. Noted CVE reduction in comments.

Golang 1.21.3 released 2023-10-10 is the latest version.

The removal of dependence on forked mods for services is also noteworthy.

Approved

@shreddedbacon shreddedbacon merged commit 1576f0a into main Oct 19, 2023
@shreddedbacon shreddedbacon deleted the additional-go-dep-updates branch October 19, 2023 00:55
@tobybellwood

sample after more upstream updates:

  ## Overview
  
                      │               Analyzed Image               │              Comparison Image               
  ────────────────────┼────────────────────────────────────────────┼─────────────────────────────────────────────
    Target            │  testlagoon/actions-handler:main           │  uselagoon/actions-handler:v2.16.0          
      digest          │  bb507dfc6719                              │  4ea36546b6ec                               
      platform        │ linux/amd64                                │ linux/amd64                                 
      provenance      │ https://github.com/uselagoon/lagoon.git    │ https://github.com/uselagoon/lagoon.git     
                      │  9e96d2fc45859dcfbde18a7183d9ac94f122bac0  │  083aa40a8704b327c4cb7ba92cf83ad6a211aaf2   
      vulnerabilities │    0C     3H     0M     0L     2?          │    7C    58H    21M     1L     6?           
                      │    -7    -55    -21     -1     -4          │                                             
      size            │ 18 MB (+789 kB)                            │ 17 MB                                       
      packages        │ 63 (-4)                                    │ 67                                          
                      │                                            │                                             
    Base image        │  alpine:3                                  │  alpine:3                                   
      tags            │ also known as                              │ also known as                               
                      │   • 3.18                                   │   • 3.18                                    
                      │   • 3.18.4                                 │   • 3.18.4                                  
                      │   • latest                                 │   • latest                                  
      vulnerabilities │    0C     2H     0M     0L                 │    0C     2H     0M     0L     
